How to Use Azure AD for credential verification
It is possible to expose Azure AD as a secure LDAP after Azure AD Domain Services has been enabled. This article will not cover how to configure Azure AD but will address how to configure the Curity Identity Server to leverage the secure LDAP (LDAPS) interface of Azure AD as a Data Source and with that used as a Credential Manager for credential verification.
An installation of the Curity Identity Server. If you do not have an installation of the Curity Identity Server, follow this tutorial installation of the Curity Identity Server and configure the installation by running Curity Basic Setup Wizard as outlined in this tutorial Curity Basic Setup Wizard.
Curity can be configured to use LDAP as a Data Source out-of-the-box. With some specific configurations we can allow Curity to connect to a secure LDAP and then use that Data Source in a Credential Manager that will verify a users credentials in the authentication process.
Server Trust Store¶
Curity needs the Azure AD certificate in order to communicate with Azure AD and the secure LDAP interface.
If the certificate is not available it can be obtain directly in the Curity Admin UI. Go to Facilities in the top right corner then add a new Server Trust Store. Select the host option and enter the Azure AD secure LDAP host and port, Ex.
aaddscontoso.com:636, click Next, give it a name and then click Ok.
Obtain certificate using Alternatively the certificate can be obtained using
openssl. Execute the following from a command prompt:
1 2 3
openssl s_client -connect aaddscontoso.com:636 \ -showcerts </dev/null 2>/dev/null | openssl x509 \ -outform PEM > azure_ad_ldap_server.pem
The downloaded certificate can be added using the File option, browse to
azure_ad_ldap_server.pem, no password should be needed.
The certificate can also be added using the Text option and is simply a copy and paste of the certificate itself. This is described in the Curity Admin UI.
The bulk of the configuration on the Curity Identity Server side in using Azure AD for authentication lies in configuring an LDAP Data Source. It is not a complicated configuration but naturally all things need to align with how Azure AD, Azure AD Domain Services and secure LDAP is configured.
In the Curity Admin UI, go to Facilities, Click New to add a new Data Source. Give it a name,
Azure_AD for example. The below table shows an example configuration for the LDAP Data Source.
|Client ID||CN=John Doe,OU=AADDC Users,DC=aaddscontoso,DC=com|
|Default Root||OU=AADDC Users,DC=aaddscontoso,DC=com|
|Disable Hostname Verification||disabled|
|Ldap Server Type||active-directory|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
<config xmlns="http://tail-f.com/ns/config/1.0"> <facilities xmlns="https://curity.se/ns/conf/base"> <data-sources> <data-source> <id>Azure_AD</id> <ldap xmlns="https://curity.se/ns/conf/data-access/ldap"> <hostname>aaddscontoso.com</hostname> <port>636</port> <ldaps>true</ldaps> <tls> <use-truststore>true</use-truststore> </tls> <client-id>CN=John Doe,OU=AADDC Users,DC=aaddscontoso,DC=com</client-id> <client-secret>Pa$$w0rd1!</client-secret> <default-root>OU=AADDC Users,DC=aaddscontoso,DC=com</default-root> </ldap> </data-source> </data-sources> </facilities> </config>
Make sure to use the correct host for your environment and that the port used (636 is default) is accessible from the Curity Identity Server.
The Client ID and Secret is needed if anonymous bind is not allowed. Note the format of the Client ID and make sure the user has permissions to bind to the secure LDAP.
Default Root is the base of the LDAP tree where Curity will start its lookup when performing verification of the credentials.
The rest of the configurations can be left as default. Additional configurations could obviously be made as needed but are not covered by this tutorial.
With a Data Source created we can now create a Credentials Manager for Azure AD. Go to Facilities and then add a new Credential Manager.
Give it a name,
Azure_CM for example. Set the Algorithm Type to
plaintext and the Data Source to the newly created Data Source.
With the Trust Store configured, Data Source and the Credential Manager created we can now leverage Azure AD and its secure LDAP interface to check the credentials of a user in the authentication process.
As an example, an HTML Form Authenticator could be used for authentication where it is configured to use the Credential Manager that is configured to use Azure AD as the Data Source.
- Installing the Curity Identity Server
- Details on the Curity Basic Setup Wizard
- Azure AD Domain Services
- Tutorial - Configure LDAPS for Azure Active Directory Domain Services | Microsoft Docs
Let’s Stay in Touch!
Get the latest on identity management, API Security and authentication straight to your inbox.